Pieter Donche wrote:
> On Thu, 4 Sep 2008, Tom Eastep wrote:
>>> - I do not understand well what the 'set name' means (the SSHA) ...
>> It is the name of a set of counters and is only meaningful if you have more than one Limit rule. Limit rules that share the same set name share the same set of counters.
>
> OK. The technique is called 'Limiting Per-IP Connection Rate'. From this I understand the limit (e.g. max 3 per minute) is applied independently for different incoming IPs. Is that correct?
That is correct.
> Is the 'set of counters' for a given minute the array of SSH-access-requesting IP addresses with their number of tries recorded so far in that minute?
I haven't researched how Netfilter actually implements this. Remember, the Limit action is just taking advantage of the Netfilter 'recent match'; Shorewall doesn't implement the matching.
> - Someone else on the mailing list reported the use of the 'RATE LIMIT' optional field in a rules line, e.g.:
>
>     SSH/ACCEPT net $FW - - - - 1/min:2
>
>   "You should replace the third line with that new rule. You probably also want to replace the fourth rule as well."
>
> - To enable Limits, an original line as below
>
>     ACCEPT net serv tcp 22
>
>   is replaced by
>
>     Limit:info:SSHA,3,60 net serv tcp 22
>
> So, was this RATE LIMIT field introduced to enable a combination of rule syntax using macros, such as SSH/ACCEPT in the Action field, with a Limit action?
The RATE LIMIT field was introduced so that users could limit the rate at which connections match a particular rule.
> - It is not clear to me what the 'burst' parameter means in the man page description [-|rate/{sec/min}[:burst] (note: one ']' is missing there).
The Netfilter rate limiting algorithm is explained under the LOGRATE parameter in the shorewall.conf manpage and in the excellent iptables tutorial by Oskar Andreasson (http://iptables-tutorial.frozentux.net/).
-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
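To make the two mechanisms discussed in this thread concrete, the following is an added illustration, not Shorewall's or Netfilter's code. It re-implements in plain Python, with a caller-supplied clock, the decision logic of the two Netfilter matches involved: xt_recent (`-m recent --name SSHA --update --seconds 60 --hitcount 3`), which keeps one timestamp list per source address and is what the Limit action relies on, and xt_limit (`-m limit --limit 1/min --limit-burst 2`), the token bucket behind the RATE LIMIT column, which is one bucket per rule shared by every source. Assumptions: the Limit:SSHA,3,60 action is modelled as the rule pair "update/hitcount then DROP, else set then ACCEPT" (the exact rules Shorewall emits may differ), `max_stamps=20` mirrors xt_recent's default ip_pkt_list_tot, and the traffic in SSH_EVENTS and PACKET_TIMES is constructed, not captured.

```python
"""Model of the Netfilter matches behind Shorewall's Limit action and RATE LIMIT.

Added example, not Shorewall or Netfilter code.  Times are plain seconds
supplied by the caller, so every run is deterministic and needs no iptables.
"""
from collections import defaultdict, deque


class RecentSet:
    """One named xt_recent list (e.g. SSHA): hit timestamps per source address.
    Every rule naming the same set shares this object, which is why the set
    name only matters once there is more than one Limit rule."""

    def __init__(self, seconds, hitcount, max_stamps=20):
        self.seconds = seconds        # --seconds: width of the window
        self.hitcount = hitcount      # --hitcount: hits needed to match
        self.max_stamps = max_stamps  # xt_recent default ip_pkt_list_tot (assumed)
        self.stamps = defaultdict(deque)

    def set(self, src, now):
        """--set: record a hit for src; this variant always matches."""
        stamps = self.stamps[src]
        stamps.append(now)
        if len(stamps) > self.max_stamps:
            stamps.popleft()

    def update(self, src, now):
        """--update --seconds S --hitcount N: match if src already has at least
        N hits in the last S seconds.  A match also records this hit, so a
        source that keeps retrying keeps its own window alive."""
        stamps = self.stamps.get(src)
        if not stamps:
            return False
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        if hits < self.hitcount:
            return False
        self.set(src, now)
        return True


class LimitAction:
    """Limit:SET,N,S modelled (assumption) as the rule pair
         -m recent --name SET --update --seconds S --hitcount N  -j DROP
         -m recent --name SET --set                              -j ACCEPT
    so each source address gets N accepted connections per S seconds."""

    def __init__(self, recent_set):
        self.recent = recent_set

    def decide(self, src, now):
        if self.recent.update(src, now):
            return "DROP"
        self.recent.set(src, now)
        return "ACCEPT"


class LimitMatch:
    """xt_limit token bucket, i.e. RATE LIMIT 'rate/unit:burst'.  One bucket per
    rule, shared by all sources: it starts with `burst` tokens, a matched
    packet spends one, and tokens refill continuously at the rate, never above
    `burst`.  Credit is kept in seconds of allowance so integer times stay exact."""

    def __init__(self, interval, burst, now=0):
        self.interval = interval          # seconds per token: 60 for 1/min
        self.max_credit = burst * interval
        self.credit = self.max_credit     # bucket starts full
        self.last = now

    def match(self, now):
        self.credit = min(self.max_credit, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.interval:
            self.credit -= self.interval
            return True
        return False


def limit_action_trace(events, count=3, seconds=60):
    """Verdicts of Limit:SSHA,3,60 over (time, src) events."""
    rule = LimitAction(RecentSet(seconds, count))
    return [rule.decide(src, t) for t, src in events]


def shared_set_trace(src, count=3, seconds=60):
    """Two Limit rules naming the same set share one counter: three hits
    accepted by the first rule exhaust the allowance seen by the second."""
    shared = RecentSet(seconds, count)
    first, second = LimitAction(shared), LimitAction(shared)
    verdicts = [first.decide(src, t) for t in (0, 1, 2)]
    verdicts.append(second.decide(src, 3))
    return verdicts


def rate_limit_trace(times, interval=60, burst=2):
    """True where a packet matches '1/min:2'; the bucket is rule-wide."""
    bucket = LimitMatch(interval, burst, now=times[0])
    return [bucket.match(t) for t in times]


# Constructed sample traffic (not captured data).
SSH_EVENTS = [
    (0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),  # 3 allowed
    (3, "203.0.113.5"),     # 4th within the minute: DROP
    (5, "198.51.100.7"),    # other address has its own counter: ACCEPT
    (30, "203.0.113.5"),    # still DROP
    (62, "203.0.113.5"),    # hits at 2, 3 and 30 are still in the window: DROP
    (65, "203.0.113.5"),    # only 30 and 62 remain: ACCEPT again
]
PACKET_TIMES = [0, 1, 2, 30, 60, 61, 150]

if __name__ == "__main__":
    for (t, src), verdict in zip(SSH_EVENTS, limit_action_trace(SSH_EVENTS)):
        print(f"t={t:3}s {src:14} {verdict}")
    for t, matched in zip(PACKET_TIMES, rate_limit_trace(PACKET_TIMES)):
        print(f"t={t:3}s 1/min:2 matches: {matched}")
```

Running the script shows the difference the thread is asking about: the Limit action drops the fourth connection from 203.0.113.5 while 198.51.100.7 is unaffected, and because a matching `--update` records another timestamp, the penalised source does not recover until its own hits age out of the 60-second window. The `1/min:2` bucket, by contrast, lets the first two packets through on the initial burst credit, then admits one packet per full minute of accumulated credit regardless of who sent it.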
